New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.17 - DEDICATED NETWORK CONNECTIONS

Universal Citation: 1 NM Admin Code 1.12.20.17

Current through Register Vol. 35, No. 18, September 24, 2024

A. The internet is inherently insecure, access to the internet is prohibited from any device that is connected (wired or wireless) to any part of the state network unless such access is authorized via exception signed by the state CIO. Such access includes accounts with third-party internet service providers.

B. Any dedicated network connection from the agency network to any external network (either within or outside state government) shall be first approved in writing by the DoIT.

C. Dedicated network connections shall be allowed after the requesting agency has presented its proposed network architecture for approval by the DoIT; DoIT will approve if the proposal has acceptable security controls and procedures in place, and appropriate security measures have been implemented by the agency to protect state network resources. The agency shall perform a risk analysis of the connection to ensure that the connection to the external network shall not compromise the agency's private network. The agency may require that additional controls, such as the establishment of firewalls and a DMZ (demilitarized zone) be implemented between the third-party connection and the agency.

(1) The business case for the dedicated connection is still valid and the dedicated connection is still required.

(2) The security controls are in place (e.g., filters, rules, access control lists) are current and are functioning correctly.

D. The dedicated connection to the agency network shall be accomplished by the agency in a secure manner to preserve the integrity of the agency network, preserve the integrity of the data transmitted over that network, and the availability of the network to the agency. Security requirements for each connection shall be assessed individually and permission to use such connection shall be driven by the specific business needs of the agency. Only agency CIO-approved and qualified staff or agency CIO-approved and qualified third-party shall be permitted to use sniffers or similar technology on the network to monitor operational data and security events.

E. The agency ISO or designee shall every six (6) months review external network connections, audit trails and system logs for abuses and anomalies.

F. Any agency-approved third-party network or workstation connection to an agency network shall:

(1) have written justification in the form of a clear business case provided to the agency CIO for any such network connection;

(2) sign an agency non-disclosure agreement ("NDA"); the non-disclosure agreement shall be signed by a duly appointed representative from the third-party organization who is legally authorized to sign such an agreement;

(3) have equipment in place that conforms to this rule and any other applicable state security standards, complies with the agency's technical architecture, and be approved in writing by the agency CIO; and

(4) use encryption to ensure the confidentiality and integrity of any sensitive or confidential data passing over the external network connection.
